Wednesday, 31 August 2011

Giving read-only access to OIM users

Help desk users normally need only read access to user information. The steps below grant a group read-only privileges over the users of an organisation and then put the help desk user in that group.

1. Log in as the administrator (XELSYSADM).

2. Manage Organization --> search for the organisation --> select the organisation.

3. Select "Administrative Groups" from the drop-down --> assign (or create) the group and give it "Read" access only; leave Write and Delete unchecked.

4. Go to the user (say 785444) who should have read-only access.

5. Assign the group to the user (785444).

6. Log in as that user (785444).

7. The user now has read-only access: user records in the organisation can be viewed, but an attempt to modify one is refused. Confirm this by actually trying an edit rather than assuming it, and check the user's other group memberships, because permissions in OIM are cumulative across groups and a membership such as SYSTEM ADMINISTRATORS would override the restriction.
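A small check for step 7, added here and not part of the original post: logged in as the help-desk user, the API session must be able to find a user in the organisation but must be refused when it tries to update that user. It uses the same client bootstrap as the OIM 9.1 API samples; the system property names (oim.homeDir, oim.policy, oim.authConf, oim.providerUrl) are my own convention, and the assumption that a permission denial surfaces as an exception from updateUser() is marked in the code.

```java
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcUserOperationsIntf;
import com.thortech.xl.util.config.ConfigurationClient;

/*
 * Verifies the result of the read-only setup: the help-desk session can
 * find a user in the organisation but is refused when it tries to update it.
 */
public class ReadOnlyCheck {

    // Standard OIM 9.1 client bootstrap. Paths and URL are assumed to be
    // supplied as -D system properties (oim.homeDir, oim.policy, oim.authConf,
    // oim.providerUrl) so that no environment details live in the code.
    public static tcUtilityFactory connect(String user, String pass) throws Exception {
        System.setProperty("XL.HomeDir", System.getProperty("oim.homeDir"));
        System.setProperty("java.security.policy", System.getProperty("oim.policy"));
        System.setProperty("java.security.auth.login.config", System.getProperty("oim.authConf"));
        System.setProperty("java.naming.provider.url", System.getProperty("oim.providerUrl"));
        ConfigurationClient.ComplexSetting config =
                ConfigurationClient.getComplexSettingByPath("Discovery.CoreServer");
        Hashtable env = config.getAllSettings();
        return new tcUtilityFactory(env, user, pass);
    }

    /*
     * Returns "READ_ONLY" when the target user can be read but not written,
     * "WRITABLE" when the write goes through, and "NO_READ" when the user is
     * not even visible to this session.
     */
    public static String checkAccess(tcUserOperationsIntf users, String targetLogin) throws Exception {
        Map filter = new HashMap();
        filter.put("Users.User ID", targetLogin);
        tcResultSet rs = users.findUsers(filter);
        if (rs.getRowCount() != 1) {
            return "NO_READ";
        }
        rs.goToRow(0);
        // Harmless write: set the last name to the value it already has.
        Map change = new HashMap();
        change.put("Users.Last Name", rs.getStringValue("Users.Last Name"));
        try {
            users.updateUser(rs, change);
            return "WRITABLE";   // the group grants more than Read
        } catch (Exception denied) {
            // Assumption: OIM refuses the update with an API exception when the
            // administrative group has only Read on the organisation. Print the
            // reason so a network or session error is not mistaken for a denial.
            System.out.println("update refused: " + denied.getMessage());
            return "READ_ONLY";
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ReadOnlyCheck <helpdesk_login> <helpdesk_password> <target_login>");
            return;
        }
        tcUtilityFactory factory = connect(args[0], args[1]);
        try {
            tcUserOperationsIntf users = (tcUserOperationsIntf)
                    factory.getUtility("Thor.API.Operations.tcUserOperationsIntf");
            String result = checkAccess(users, args[2]);
            System.out.println(args[0] + " on " + args[2] + ": " + result);
            if (!"READ_ONLY".equals(result)) {
                System.exit(1);   // fail loudly so this can run as a post-change check
            }
        } finally {
            factory.close();
        }
    }
}
```

Run it once as the help-desk user against a user in the organisation (expect READ_ONLY) and once against a user outside it (expect NO_READ); a WRITABLE result means the group, or another group the user belongs to, carries Write permission.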

Tuesday, 30 August 2011

Code to create an access policy through the OIM API


import java.util.HashMap;
import java.util.Hashtable;
import java.util.logging.Level;
import java.util.logging.Logger;

import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Exceptions.tcAPIException;
import Thor.API.Exceptions.tcGroupNotFoundException;
import Thor.API.Exceptions.tcInvalidAttributeException;
import Thor.API.Exceptions.tcObjectNotFoundException;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import Thor.API.Operations.tcGroupOperationsIntf;
import Thor.API.Operations.tcObjectOperationsIntf;
import Thor.API.Operations.tcUserOperationsIntf;

import com.thortech.xl.util.config.ConfigurationClient;

/*
 * Creates an access policy that provisions one or more resource objects to
 * the members of one or more groups. ReadProperty is a small helper (not shown
 * here) that reads keys from a properties file; keep that file out of version
 * control and readable only by the account that runs this, because it holds
 * the OIM credentials.
 */
public class AccessPolicy {

    static ReadProperty readProperty = new ReadProperty();
    public static String homeDir = readProperty.getProp("homeDir");
    public static String policyDir = readProperty.getProp("policyDir");
    public static String confDir = readProperty.getProp("confDir");
    public static String username = readProperty.getProp("username");
    public static String password = readProperty.getProp("password");
    public static String providerUrl = readProperty.getProp("providerUrl");

    public tcUtilityFactory ioUtilityFactory;
    public tcUserOperationsIntf moUserUtility;
    public tcGroupOperationsIntf moGroupUtility;
    public tcAccessPolicyOperationsIntf moAccesspolicyutility;
    public tcObjectOperationsIntf moObjectUtility;

    private HashMap policy;
    private long[] provObjKeys = new long[0];                  // resources the policy provisions
    private boolean[] revokeObjectIfNotApply = new boolean[0]; // one flag per provisioned resource
    private long[] denyObjKeys = new long[0];                  // resources the policy denies (none here)
    private long[] groupKeys = new long[0];                    // groups the policy applies to

    // Logs in to OIM with the given credentials and fetches the utility interfaces.
    public String roleAuthenticate(String usr, String pass) {
        try {
            System.setProperty("XL.HomeDir", homeDir);
            System.setProperty("java.security.policy", policyDir);           // xl.policy (server or client)
            System.setProperty("java.security.auth.login.config", confDir);  // auth*.conf (server or client)
            System.setProperty("java.naming.provider.url", providerUrl);
            ConfigurationClient.ComplexSetting config =
                    ConfigurationClient.getComplexSettingByPath("Discovery.CoreServer");
            Hashtable env = config.getAllSettings();
            // Assign the field; the original shadowed it with a local variable.
            ioUtilityFactory = new tcUtilityFactory(env, usr, pass);
            System.out.println("Connection established, getting utility interfaces...");
            moUserUtility = (tcUserOperationsIntf) ioUtilityFactory.getUtility("Thor.API.Operations.tcUserOperationsIntf");
            moGroupUtility = (tcGroupOperationsIntf) ioUtilityFactory.getUtility("Thor.API.Operations.tcGroupOperationsIntf");
            moAccesspolicyutility = (tcAccessPolicyOperationsIntf) ioUtilityFactory.getUtility("Thor.API.Operations.tcAccessPolicyOperationsIntf");
            moObjectUtility = (tcObjectOperationsIntf) ioUtilityFactory.getUtility("Thor.API.Operations.tcObjectOperationsIntf");
            // Silence the OC4J RMI client logger.
            Logger logger = oracle.j2ee.rmi.RMIMessages.getLogger();
            logger.setLevel(Level.OFF);
            return "Valid";
        } catch (Exception e) {
            System.out.println("Login to OIM failed");
            e.printStackTrace();
            return "Invalid";
        }
    }

    public AccessPolicy() {
        policy = new HashMap();
    }

    // Returns the Groups.Key for a group name, or 0 if no such group exists.
    public long getGroupKey(String groupName) {
        long key = 0;
        HashMap groupMap = new HashMap();
        try {
            groupMap.put("Groups.Group Name", groupName);
            tcResultSet moResultSet = moGroupUtility.findGroups(groupMap);
            if (moResultSet.getRowCount() == 0) {
                System.out.println("Group not found: " + groupName);
            } else {
                moResultSet.goToRow(0);
                key = moResultSet.getLongValue("Groups.Key");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return key;
    }

    // Returns the Objects.Key for a resource object name, or 0 if no such object exists.
    public long getObjectKey(String objectName) {
        long key = 0;
        HashMap objectMap = new HashMap();
        try {
            objectMap.put("Objects.Name", objectName);
            tcResultSet moResultSet = moObjectUtility.findObjects(objectMap);
            if (moResultSet.getRowCount() == 0) {
                System.out.println("Resource object not found: " + objectName);
            } else {
                moResultSet.goToRow(0);
                key = moResultSet.getLongValue("Objects.Key");
                System.out.println("Key value for " + objectName + ": " + key);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return key;
    }

    public void setPolicy(String policyName, String policyDescription) {
        policy.put("Access Policies.Name", policyName);
        policy.put("Access Policies.Description", policyDescription);
        policy.put("Access Policies.Note", policyName);
        policy.put("Access Policies.Retrofit Flag", "1"); // apply to existing group members as well
        policy.put("Access Policies.By Request", "0");    // provision directly, without a request
    }

    public HashMap getPolicy() {
        return policy;
    }

    // Takes a ';'-separated list of resource object names, e.g. "OID;AD User".
    public void setProvObjKeys(String objects) {
        String[] names = objects.split(";");
        System.out.println("Object count: " + names.length);
        provObjKeys = new long[names.length];
        revokeObjectIfNotApply = new boolean[names.length];
        for (int i = 0; i < names.length; i++) {
            String obj = names[i].trim();
            System.out.println("Adding object " + obj);
            provObjKeys[i] = getObjectKey(obj);
            revokeObjectIfNotApply[i] = true; // revoke the resource when the policy stops applying
        }
    }

    public long[] getProvObjKeys() {
        return provObjKeys;
    }

    // Takes a ';'-separated list of group names. The original never incremented
    // its index and only had room for one group.
    public void setGroupKeys(String groups) {
        String[] names = groups.split(";");
        groupKeys = new long[names.length];
        for (int i = 0; i < names.length; i++) {
            groupKeys[i] = getGroupKey(names[i].trim());
        }
    }

    public long[] getGroupKeys() {
        return groupKeys;
    }

    public boolean[] getRevokeObjectIfNotApply() {
        return revokeObjectIfNotApply;
    }

    public long[] getDenyObjKeys() {
        return denyObjKeys;
    }

    public long createAccessPolicy() {
        long policyKey = 0;
        // A key of 0 means a lookup above failed; do not create a policy that
        // refers to a resource object or group that does not exist.
        for (long k : provObjKeys) {
            if (k == 0) { System.out.println("Aborting: unresolved resource object"); return 0; }
        }
        for (long k : groupKeys) {
            if (k == 0) { System.out.println("Aborting: unresolved group"); return 0; }
        }
        try {
            policyKey = moAccesspolicyutility.createAccessPolicy(getPolicy(), getProvObjKeys(),
                    getRevokeObjectIfNotApply(), getDenyObjKeys(), getGroupKeys());
            System.out.println("Created access policy with key " + policyKey);
        } catch (tcAPIException e) {
            e.printStackTrace();
        } catch (tcObjectNotFoundException e) {
            e.printStackTrace();
        } catch (tcGroupNotFoundException e) {
            e.printStackTrace();
        } catch (tcInvalidAttributeException e) {
            e.printStackTrace();
        }
        return policyKey;
    }

    public static void main(String[] args) {
        AccessPolicy temp = new AccessPolicy();
        // Credentials come from the properties file, not from string literals in the code.
        if (!"Valid".equals(temp.roleAuthenticate(username, password))) {
            return;
        }
        temp.setPolicy("tempcode2", "tempcode");  // access policy name and description
        temp.setProvObjKeys("OID;resource");      // ';'-separated resource object names
        temp.setGroupKeys("testgroup");           // ';'-separated group names
        temp.createAccessPolicy();
        temp.ioUtilityFactory.close();
    }

}
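The class above returns a policy key but never checks what actually got attached to the policy. The following check, added here and not part of the original post, looks the policy up by name and compares its groups and resource objects with what was intended. It reuses the tcAccessPolicyOperationsIntf that roleAuthenticate() obtains; findAccessPolicies and the "Access Policies.Key", "Groups.Group Name" and "Objects.Name" column names are standard OIM 9.1 metadata, while getAssignedGroups and getAssignedObjects are the API method names as I recall them from the 9.1 javadoc and are marked as assumptions in the code.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import Thor.API.tcResultSet;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;

/*
 * Post-creation check for an access policy: resolves the policy by name and
 * compares the groups and resource objects attached to it with what was intended.
 */
public class AccessPolicyCheck {

    // Resolves a policy name to Access Policies.Key; fails if the name is not unique.
    public static long findPolicyKey(tcAccessPolicyOperationsIntf api, String name) throws Exception {
        Map filter = new HashMap();
        filter.put("Access Policies.Name", name);
        tcResultSet rs = api.findAccessPolicies(filter);
        if (rs.getRowCount() != 1) {
            throw new IllegalStateException("expected one policy named " + name + ", found " + rs.getRowCount());
        }
        rs.goToRow(0);
        return rs.getLongValue("Access Policies.Key");
    }

    // Collects one column of a result set into a set of strings.
    static Set<String> column(tcResultSet rs, String col) throws Exception {
        Set<String> out = new HashSet<String>();
        for (int i = 0; i < rs.getRowCount(); i++) {
            rs.goToRow(i);
            out.add(rs.getStringValue(col));
        }
        return out;
    }

    // Lists every difference between the actual and expected sets; empty means they match.
    static List<String> diff(String what, Set<String> actual, Set<String> expected) {
        List<String> problems = new ArrayList<String>();
        for (String s : expected) if (!actual.contains(s)) problems.add("missing " + what + ": " + s);
        for (String s : actual) if (!expected.contains(s)) problems.add("unexpected " + what + ": " + s);
        return problems;
    }

    // Returns the discrepancies for the named policy. getAssignedGroups and
    // getAssignedObjects are assumed OIM 9.1 API method names (see lead-in).
    public static List<String> verify(tcAccessPolicyOperationsIntf api, String policyName,
                                      Set<String> expectedGroups, Set<String> expectedObjects) throws Exception {
        long key = findPolicyKey(api, policyName);
        Set<String> groups = column(api.getAssignedGroups(key), "Groups.Group Name");
        Set<String> objects = column(api.getAssignedObjects(key), "Objects.Name");
        List<String> problems = new ArrayList<String>();
        problems.addAll(diff("group", groups, expectedGroups));
        problems.addAll(diff("resource object", objects, expectedObjects));
        return problems;
    }

    // Example use after AccessPolicy.main() has created "tempcode2".
    public static void main(String[] args) throws Exception {
        AccessPolicy session = new AccessPolicy();
        if (!"Valid".equals(session.roleAuthenticate(AccessPolicy.username, AccessPolicy.password))) {
            return;
        }
        List<String> problems = verify(session.moAccesspolicyutility, "tempcode2",
                new HashSet<String>(Arrays.asList("testgroup")),
                new HashSet<String>(Arrays.asList("OID", "resource")));
        if (problems.isEmpty()) {
            System.out.println("policy tempcode2 matches expectations");
        } else {
            for (String p : problems) System.out.println(p);
            System.exit(1);
        }
        if (session.ioUtilityFactory != null) {
            session.ioUtilityFactory.close();
        }
    }
}
```

A non-empty result usually means one of the name lookups in setProvObjKeys or setGroupKeys returned 0 and the policy was created without that entry, which is exactly the case the abort check in createAccessPolicy is there to catch.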

Monday, 29 August 2011

Code to create OIM groups through the API


// Creates a group with the given name. moGroupUtility is the
// tcGroupOperationsIntf obtained in roleAuthenticate() above.
public void creategroup(String creategrp) {
    HashMap userMap = new HashMap();
    try {
        userMap.put("Groups.Group Name", creategrp);
        moGroupUtility.createGroup(userMap);
        System.out.println("Group created: " + creategrp);
    } catch (Exception e) {
        // A duplicate group name or a missing permission ends up here.
        System.out.println("Group " + creategrp + " not created: " + e);
    }
}

Tuesday, 23 August 2011

To check whether the scheduler is up and running



Scheduler up

To make sure that the OIM scheduler is up and running, open

http://localhost:8080/xlScheduler

Eg: http://localhost:7777/xlScheduler

Use the host and port of the OIM server (localhost only works when you run the check on the server itself). The page reports whether the scheduler is started; if it is not, scheduled tasks will never fire even though the application itself is up.

Code to enable the resources in the resource profile of an OIM user

If a user has been disabled and all of the user's resources were disabled along with it, the resources have to be enabled again through the API. The code for that is below; it reuses moUserUtility and roleAuthenticate() from the access-policy post above.

// Resolves a user login to its internal key. The original page calls
// getUserKey() without showing it; this is the helper it needs.
public long getUserKey(String uid) throws Exception {
    HashMap userMap = new HashMap();
    userMap.put("Users.User ID", uid);
    tcResultSet rs = moUserUtility.findUsers(userMap);
    if (rs.getRowCount() != 1) {
        throw new IllegalStateException("Expected one user for " + uid + ", found " + rs.getRowCount());
    }
    rs.goToRow(0);
    return rs.getLongValue("Users.Key");
}

public void Rejoin(String uid) {
    System.out.println("Inside Rejoin Method");
    this.roleAuthenticate(username, password); // same login as AccessPolicy.roleAuthenticate()
    try {
        long userKey = getUserKey(uid);
        System.out.println("UID==>" + uid);
        // "Users.Action" is a site-specific user attribute; the original gated
        // on it and left the check commented out, so it stays commented here.
        // if (!Actionvalue_Rejoin.equals(action)) return;
        tcResultSet moObjectResultSet = moUserUtility.getObjects(userKey);
        if (moObjectResultSet.getRowCount() < 1) {
            System.out.println("No resources in the user's resource profile.");
            return;
        }
        System.out.println("Starting to enable resources ...");
        for (int j = 0; j < moObjectResultSet.getRowCount(); j++) {
            moObjectResultSet.goToRow(j);
            String resourceName = moObjectResultSet.getStringValue("Objects.Name");
            // enable/disable/revoke take the object-instance key, not Objects.Key.
            String object = moObjectResultSet.getStringValue("Users-Object Instance For User.Key");
            String status = moObjectResultSet.getStringValue("Objects.Object Status.Status");
            long tObjKey = Long.parseLong(object);
            System.out.println("ResourceName=== > " + resourceName);
            System.out.println("object=== > " + object);
            System.out.println("Status=== > " + status);
            if ("Provisioning".equals(status)) {
                System.out.println("Ignoring resource with STATUS Provisioning");
            } else if (!"Disabled".equals(status)) {
                // Enabling an instance that is already Provisioned/Enabled or
                // has been Revoked fails, so only Disabled instances are touched.
                System.out.println("Skipping resource that is not Disabled");
            } else {
                // moUserUtility.disableAppForUser(userKey, tObjKey);
                // moUserUtility.revokeObject(userKey, tObjKey);
                moUserUtility.enableAppForUser(userKey, tObjKey);
                System.out.println("Enabled " + resourceName);
            }
        }
        System.out.println("Resources enabled for user ..");
    } catch (Exception e) {
        System.out.println("Rejoin failed for " + uid);
        e.printStackTrace();
    }
}

Wednesday, 17 August 2011

Code to revoke all the resources that are provisioned to a user

// Revokes every resource instance in the user's resource profile.
// Uses moUserUtility and getUserKey() from the posts above.
public void revokeAllResources(String uid) throws Exception {
    long userKey = getUserKey(uid);
    tcResultSet moObjectResultSet = moUserUtility.getObjects(userKey);
    System.out.println("Starting to Deprovision Objects ...");
    for (int j = 0; j < moObjectResultSet.getRowCount(); j++) {
        moObjectResultSet.goToRow(j); // the original used the wrong index (i) here
        String resourceName = moObjectResultSet.getStringValue("Objects.Name");
        String status = moObjectResultSet.getStringValue("Objects.Object Status.Status");
        long tObjKey = Long.parseLong(moObjectResultSet.getStringValue("Users-Object Instance For User.Key"));
        if ("Revoked".equals(status)) {
            System.out.println("Already revoked: " + resourceName);
            continue;
        }
        System.out.println("Deprovisioning Object " + resourceName);
        // moUserUtility.disableAppForUser(userKey, tObjKey); // disable instead of revoke
        moUserUtility.revokeObject(userKey, tObjKey);
    }
    System.out.println("Deprovisioning Complete...");
}

Friday, 12 August 2011

Importing certificates into OIM (9102) using keytool


1. Get the certificate from the target system that has to be imported into IDM (for example the certificate of the Active Directory domain, exported as a .cer file).

To import:

keytool -import -alias ALIAS -file CER_FILE -keystore MY_CACERTS -storepass PASSWORD

Example:

/u01apps/oraclesoa/jdk/jre/bin/keytool -import -alias OC4J -file /u01apps/PROD/NewCert/latestCrtAD/ProdAD.cer -keystore /u01apps/oraclesoa/jdk/jre/lib/security/cacerts -storepass changeit

Use the keytool and cacerts of the JDK that actually runs OIM (here /u01apps/oraclesoa/jdk); importing into another JDK's keystore has no effect on the server. keytool prints the certificate's fingerprint and asks for confirmation before importing, so compare that fingerprint with the one supplied by the target system's administrators before answering yes. If you omit -storepass, keytool prompts for the password instead of leaving it in the shell history, and changeit is the well-known default cacerts password, so change it on a production keystore. Restart the OC4J instance afterwards so the JVM picks up the new trust store contents.

To verify that the certificate was imported successfully:

keytool -list -alias ALIAS -keystore MY_CACERTS -storepass PASSWORD

Example:

/u01apps/oraclesoa/jdk/jre/bin/keytool -list -alias OC4J -keystore /u01apps/oraclesoa/jdk/jre/lib/security/cacerts -storepass changeit

Add -v to see the subject, issuer and validity dates as well as the fingerprint.

To delete:

keytool -delete -alias ALIAS -keystore MY_CACERTS -storepass PASSWORD
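keytool only confirms that an entry exists under the alias. The check below, added here and not part of the original post, looks at the import the way the OIM JVM will: it loads the keystore, pulls the alias, prints fingerprint and validity, and optionally performs a TLS handshake to the target system trusting only that keystore, which is the test that matters before the AD connector goes live. It assumes Java 6 or later for System.console(); run it with the same JDK and keystore path used in the keytool examples above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Checks an imported certificate from the JVM's point of view: loads the
 * keystore, reads the alias, prints SHA-256 fingerprint and validity, and
 * optionally opens a TLS connection that trusts only this keystore.
 */
public class TrustStoreCheck {

    public static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePass);   // a wrong password fails here with an IOException
        } finally {
            in.close();
        }
        return ks;
    }

    public static X509Certificate certificate(KeyStore ks, String alias) throws Exception {
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) {
            throw new IllegalStateException("no X.509 certificate under alias " + alias);
        }
        return (X509Certificate) c;
    }

    // Colon-separated upper-case hex SHA-256 of the DER encoding.
    public static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    // True when a TLS handshake with host:port succeeds using only this keystore as trust anchors.
    public static boolean handshakeTrusted(KeyStore ks, String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            socket.startHandshake();
            return true;
        } catch (SSLHandshakeException untrusted) {
            // Typically "unable to find valid certification path": the server's
            // chain does not lead to anything in this keystore.
            System.out.println("handshake failed: " + untrusted.getMessage());
            return false;
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustStoreCheck <keystore> <alias> [host port]");
            return;
        }
        // Read the password interactively instead of passing it on the command line.
        char[] pass = System.console().readPassword("keystore password: ");
        KeyStore ks = load(args[0], pass);
        X509Certificate cert = certificate(ks, args[1]);
        cert.checkValidity();   // throws if the certificate is expired or not yet valid
        System.out.println("subject : " + cert.getSubjectX500Principal());
        System.out.println("issuer  : " + cert.getIssuerX500Principal());
        System.out.println("expires : " + cert.getNotAfter());
        System.out.println("SHA-256 : " + sha256Fingerprint(cert));
        if (args.length == 4) {
            boolean ok = handshakeTrusted(ks, args[2], Integer.parseInt(args[3]));
            System.out.println("TLS handshake to " + args[2] + ":" + args[3] + " trusted: " + ok);
        }
    }
}
```

For an AD import the handshake target is the domain controller's LDAPS port (636). A handshake that fails while the alias is present usually means the imported file was the server's leaf certificate rather than the issuing CA, or that the import went into a different JDK than the one OIM runs on.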

Tuesday, 9 August 2011

IDM disaster recovery

In a production environment there are unavoidable cases where the live servers go down, and disaster recovery has to happen while they are unavailable. The steps below assume two environments (DC and DR) that are kept in step, so that when DC fails, DR can be brought up in its place.

Prerequisites

1. Export the OIM database schema from DC and import it into DR.
2. Take a backup of OIM_HOME on both nodes.
3. Back up the application server files and directories.

Changes to be done in OIM

1. Bring down the application server on both nodes. Go to

$ORACLE_HOME/opmn/bin

and execute ./opmnctl stopall

2. Copy the .xlkeystore, .xldatabasekey and xlconfig.xml files from the DC-Prod machine to DR-Prod. The keystore holds the key OIM uses to encrypt stored secrets, including the user passwords in the USR table, so DR must use the same one as DC or the imported data cannot be decrypted. Preserve the files' restrictive permissions when copying.

File              Path of the file in DC-Prod      Path of the file in DR-Prod
.xlkeystore       oim_server/xellerate/config      oim_server/xellerate/config
.xldatabasekey    oim_server/xellerate/config      oim_server/xellerate/config
xlconfig.xml      oim_server/xellerate/config      oim_server/xellerate/config

3. Edit the copied xlconfig.xml and locate the <DirectDB> ... </DirectDB> section. Change the database connection details from DC-Prod to DR-Prod; otherwise the DR application server keeps pointing at the DC database.

4. Restart the application server on both nodes.
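As an added illustration of step 3 (not from the original post), the shape of the section to change. The element names follow the OIM 9.1 xlconfig.xml layout as I remember it and should be checked against your own file; the hostnames and SID are placeholders. The password line only needs touching when the DR schema password differs from DC's: in that case put the clear-text value in with encrypted="false" and OIM re-encrypts it on the next start, the same mechanism as the XLPassword step in the troubleshooting section below (an assumption about 9.1 behaviour; watch the startup log and the file after restart to confirm).

```xml
<!-- Before: as copied from DC-Prod, still pointing at the DC database -->
<DirectDB>
    <url>jdbc:oracle:thin:@dc-db.example.com:1521:PROD</url>
    <username>xloim</username>
    <password encrypted="true">ENCRYPTED_VALUE_COPIED_FROM_DC</password>
</DirectDB>

<!-- After: pointing DR-Prod at its own database -->
<DirectDB>
    <url>jdbc:oracle:thin:@dr-db.example.com:1521:PROD</url>
    <username>xloim</username>
    <!-- unchanged when the schema password is the same on DR; otherwise
         replace with encrypted="false" and the clear-text password, and
         restrict the file to the OIM service account until OIM re-encrypts it -->
    <password encrypted="true">ENCRYPTED_VALUE_COPIED_FROM_DC</password>
</DirectDB>
```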

Changes in DB

1. Take a backup of both the dc-prod and dr-prod databases.
2. Make sure the DB schema user name is the same in the DC and DR databases.
Ex: xloim in both databases.
3. Export the database from DC-Prod and import it into DR-Prod.
4. Restart the database in DR-Prod.

Tips to troubleshoot

1. If you have followed the cloning steps and still cannot log in to the application as xelsysadm, log in to the database instances in both DC-Prod and DR-Prod and execute

select usr_password from USR where USR_LOGIN='XELSYSADM';

This returns the stored (encrypted) value, which should be identical in DC and DR. If it is not, the two databases hold different passwords, or DR is not using the same .xlkeystore as DC, since the stored value depends on that key.

2. Log in to the Admin Console and change the password as usual.
3. Open xlconfig.xml in the OIM_home/xellerate/config folder.
4. In the Scheduler section, add the XLPassword line as shown below:

<Scheduler>
    <XLUserName>xelsysadm</XLUserName>
    <XLPassword encrypted="false">NEW PASSWORD</XLPassword>
    ...
</Scheduler>

Until the server restarts the password sits in the file in clear text, so make sure the file is readable only by the OIM service account.

5. Restart the OC4J application server. On startup OIM reads the clear-text value, writes it back encrypted, and keeps the previous version of the file as xlconfig.xml.0.
6. After confirming that you can log on to the Admin Console with the new password AND that the scheduler can start tasks with the new credentials, delete the backup xlconfig.xml.0 file in the config folder, since it still carries the old configuration.


Thursday, 4 August 2011

Deploying the SPML web service in OIM

Note: The OIM installer already places OIMSpmlWS.ear in OIM_HOME/SPMLWS.

OIM version: 9102 (BP12)
Application server: Oracle Application Server (OC4J)

To deploy

1. Go to $OIM_HOME/setup and execute

#./spml_oc4j.sh appserver_admin_password oim_db_user_password

eg #./spml_oc4j.sh admin123 admin123

Both passwords are passed on the command line, so they end up in the shell history and are visible in the process list while the script runs; run it from a session with history disabled, and do not reuse one password for the application server administrator and the OIM database user the way the example does.

Check that the deployment went through in the log $OIM_HOME/Logs/spml-oc4j.log.

For a non-clustered environment the step above is enough.

For a clustered environment, you have to perform one additional step.

1. Open OC4J_HOME/j2ee/OC4J_instance/config/application.xml

2. In the <imported-shared-libraries> section of application.xml, change

<import-shared-library name="apache.commons.logging"/>

to

<remove-inherited name="apache.commons.logging"/>